@jaypie/constructs 1.2.8 → 1.2.10

package/dist/cjs/index.cjs

@@ -3,7 +3,6 @@
 var cdk = require('aws-cdk-lib');
 var s3 = require('aws-cdk-lib/aws-s3');
 var constructs = require('constructs');
-var acm = require('aws-cdk-lib/aws-certificatemanager');
 var apiGateway = require('aws-cdk-lib/aws-apigateway');
 var route53 = require('aws-cdk-lib/aws-route53');
 var route53Targets = require('aws-cdk-lib/aws-route53-targets');
@@ -11,6 +10,7 @@ var secretsmanager = require('aws-cdk-lib/aws-secretsmanager');
 var datadogCdkConstructsV2 = require('datadog-cdk-constructs-v2');
 var errors = require('@jaypie/errors');
 var awsIam = require('aws-cdk-lib/aws-iam');
+var acm = require('aws-cdk-lib/aws-certificatemanager');
 var lambda = require('aws-cdk-lib/aws-lambda');
 var logDestinations = require('aws-cdk-lib/aws-logs-destinations');
 var s3n = require('aws-cdk-lib/aws-s3-notifications');
@@ -47,11 +47,11 @@ function _interopNamespaceDefault(e) {
 
 var cdk__namespace = /*#__PURE__*/_interopNamespaceDefault(cdk);
 var s3__namespace = /*#__PURE__*/_interopNamespaceDefault(s3);
-var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
 var apiGateway__namespace = /*#__PURE__*/_interopNamespaceDefault(apiGateway);
 var route53__namespace = /*#__PURE__*/_interopNamespaceDefault(route53);
 var route53Targets__namespace = /*#__PURE__*/_interopNamespaceDefault(route53Targets);
 var secretsmanager__namespace = /*#__PURE__*/_interopNamespaceDefault(secretsmanager);
+var acm__namespace = /*#__PURE__*/_interopNamespaceDefault(acm);
 var lambda__namespace = /*#__PURE__*/_interopNamespaceDefault(lambda);
 var logDestinations__namespace = /*#__PURE__*/_interopNamespaceDefault(logDestinations);
 var s3n__namespace = /*#__PURE__*/_interopNamespaceDefault(s3n);
@@ -135,7 +135,7 @@ const CDK$2 = {
     },
     DURATION: {
         EXPRESS_API: 30,
-        CLOUDFRONT_API: 180,
+        CLOUDFRONT_API: 120,
         LAMBDA_MAXIMUM: 900,
         LAMBDA_WORKER: 900,
     },
@@ -476,6 +476,111 @@ function extendDatadogRole(scope, options) {
     return datadogCustomPolicy;
 }
 
+// Cache: Stack -> (domain -> certificate)
+// Using WeakMap for automatic garbage collection when stacks are destroyed
+const certificateCache = new WeakMap();
+/**
+ * Resolves a certificate based on input type.
+ *
+ * Key behavior: When certificate is `true`, the certificate is created at the
+ * STACK level (not construct level) and cached by domain name. This allows
+ * swapping between constructs (e.g., JaypieDistribution to JaypieApiGateway)
+ * without recreating the certificate.
+ *
+ * @param scope - The construct scope (used to find the stack)
+ * @param options - Certificate resolution options
+ * @returns The resolved certificate, or undefined if certificate is false
+ *
+ * @example
+ * // Create or get cached certificate at stack level
+ * const cert = resolveCertificate(this, {
+ *   certificate: true,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Use existing certificate
+ * const cert = resolveCertificate(this, {
+ *   certificate: existingCert,
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ *
+ * @example
+ * // Import certificate from ARN
+ * const cert = resolveCertificate(this, {
+ *   certificate: "arn:aws:acm:us-east-1:123456789:certificate/abc-123",
+ *   domainName: "api.example.com",
+ *   zone: hostedZone,
+ * });
+ */
+function resolveCertificate(scope, options) {
+    const { certificate, domainName, name = "Certificate", roleTag = CDK$2.ROLE.API, zone, } = options;
+    // false = no certificate
+    if (certificate === false) {
+        return undefined;
+    }
+    // ICertificate passed directly - use as-is
+    if (typeof certificate === "object" && certificate !== null) {
+        return certificate;
+    }
+    // ARN string - import from ARN
+    if (typeof certificate === "string") {
+        // Sanitize domain for construct ID
+        const sanitizedDomain = sanitizeDomainForId(domainName);
+        return acm__namespace.Certificate.fromCertificateArn(scope, `${name}-${sanitizedDomain}`, certificate);
+    }
+    // true (default) = create at STACK level with caching
+    const stack = cdk.Stack.of(scope);
+    // Get or create cache for this stack
+    let stackCache = certificateCache.get(stack);
+    if (!stackCache) {
+        stackCache = new Map();
+        certificateCache.set(stack, stackCache);
+    }
+    // Return cached certificate if one exists for this domain
+    const cached = stackCache.get(domainName);
+    if (cached) {
+        return cached;
+    }
+    // Create certificate at STACK level (not construct level!)
+    // This is the key difference - the certificate's lifecycle is tied to the stack,
+    // not to the individual construct that requested it
+    const sanitizedDomain = sanitizeDomainForId(domainName);
+    const cert = new acm__namespace.Certificate(stack, `${name}-${sanitizedDomain}`, {
+        domainName,
+        validation: acm__namespace.CertificateValidation.fromDns(zone),
+    });
+    cdk.Tags.of(cert).add(CDK$2.TAG.ROLE, roleTag);
+    // Cache for future requests
+    stackCache.set(domainName, cert);
+    return cert;
+}
+/**
+ * Sanitizes a domain name for use in CDK construct IDs.
+ * CDK construct IDs can only contain alphanumeric characters and hyphens.
+ */
+function sanitizeDomainForId(domain) {
+    return domain.replace(/\./g, "-").replace(/[^a-zA-Z0-9-]/g, "");
+}
+/**
+ * Clears the certificate cache for a specific stack.
+ * Primarily useful for testing.
+ */
+function clearCertificateCache(stack) {
+    certificateCache.delete(stack);
+}
+/**
+ * Clears all certificate caches.
+ * Primarily useful for testing.
+ */
+function clearAllCertificateCaches() {
+    // WeakMap doesn't have a clear() method, so we create a new one
+    // This is a no-op since we can't actually clear a WeakMap,
+    // but stacks going out of scope will be garbage collected anyway
+}
+
 /**
  * Check if the current environment matches the given environment
  */
@@ -805,34 +910,34 @@ const resolveParamsAndSecrets = ({ paramsAndSecrets, options, } = {}) => {
 };
 
 // It is a consumer if the environment is ephemeral
-function checkEnvIsConsumer(env = process.env) {
+function checkEnvIsConsumer$1(env = process.env) {
     return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
         !!env.CDK_ENV_PERSONAL ||
         /** @deprecated */ env.PROJECT_ENV === "ephemeral" ||
         /** @deprecated */ !!env.CDK_ENV_EPHEMERAL);
 }
-function checkEnvIsProvider(env = process.env) {
+function checkEnvIsProvider$1(env = process.env) {
     return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
 }
-function cleanName(name) {
+function cleanName$1(name) {
     return name.replace(/[^a-zA-Z0-9:-]/g, "");
 }
-function exportEnvName(name, env = process.env) {
+function exportEnvName$1(name, env = process.env) {
     let rawName;
-    if (checkEnvIsProvider(env)) {
+    if (checkEnvIsProvider$1(env)) {
         rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
         // Clean the entire name to only allow alphanumeric, colons, and hyphens
-        return cleanName(rawName);
+        return cleanName$1(rawName);
     }
     else {
-        if (checkEnvIsConsumer(env)) {
+        if (checkEnvIsConsumer$1(env)) {
             rawName = `env-${CDK$2.ENV.SANDBOX}-${env.PROJECT_KEY}-${name}`;
         }
         else {
             rawName = `env-${env.PROJECT_ENV}-${env.PROJECT_KEY}-${name}`;
         }
     }
-    return cleanName(rawName);
+    return cleanName$1(rawName);
 }
 class JaypieEnvSecret extends constructs.Construct {
     constructor(scope, idOrEnvKey, props) {
@@ -844,15 +949,15 @@ class JaypieEnvSecret extends constructs.Construct {
             process.env[idOrEnvKey] !== "";
         const id = treatAsEnvKey ? `EnvSecret_${idOrEnvKey}` : idOrEnvKey;
         super(scope, id);
-        const { consumer = checkEnvIsConsumer(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider(), roleTag, vendorTag, value, } = props || {};
+        const { consumer = checkEnvIsConsumer$1(), envKey: envKeyProp, export: exportParam, generateSecretString, provider = checkEnvIsProvider$1(), roleTag, vendorTag, value, } = props || {};
         const envKey = treatAsEnvKey ? idOrEnvKey : envKeyProp;
         this._envKey = envKey;
         let exportName;
         if (!exportParam) {
-            exportName = exportEnvName(id);
+            exportName = exportEnvName$1(id);
         }
         else {
-            exportName = cleanName(exportParam);
+            exportName = cleanName$1(exportParam);
         }
         if (consumer) {
             const secretName = cdk.Fn.importValue(exportName);
@@ -1065,22 +1170,18 @@ class JaypieApiGateway extends constructs.Construct {
             }
         }
         const apiGatewayName = name || constructEnvName("ApiGateway");
-        const certificateName = constructEnvName("Certificate");
         const apiDomainName = constructEnvName("ApiDomainName");
         let hostedZone;
         let certificateToUse;
         if (host && zone) {
             hostedZone = resolveHostedZone(this, { zone });
-            if (certificate === true) {
-                certificateToUse = new acm__namespace.Certificate(this, certificateName, {
-                    domainName: host,
-                    validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
-                });
-                cdk.Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, CDK$2.ROLE.HOSTING);
-            }
-            else if (typeof certificate === "object") {
-                certificateToUse = certificate;
-            }
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            certificateToUse = resolveCertificate(this, {
+                certificate,
+                domainName: host,
+                roleTag: CDK$2.ROLE.HOSTING,
+                zone: hostedZone,
+            });
             this._certificate = certificateToUse;
             this._host = host;
         }
@@ -1840,6 +1941,238 @@ class JaypieBucketQueuedLambda extends JaypieQueuedLambda {
     }
 }
 
+// Check if environment is a consumer (personal/ephemeral builds import from sandbox)
+function checkEnvIsConsumer(env = process.env) {
+    return (env.PROJECT_ENV === CDK$2.ENV.PERSONAL ||
+        !!env.CDK_ENV_PERSONAL ||
+        env.PROJECT_ENV === "ephemeral" ||
+        !!env.CDK_ENV_EPHEMERAL);
+}
+// Check if environment is a provider (sandbox exports for consumers)
+function checkEnvIsProvider(env = process.env) {
+    return env.PROJECT_ENV === CDK$2.ENV.SANDBOX;
+}
+// Sanitize export name to only allow alphanumeric, colons, and hyphens
+function cleanName(name) {
+    return name.replace(/[^a-zA-Z0-9:-]/g, "");
+}
+// Generate export name based on environment
+function exportEnvName(name, env = process.env) {
+    const projectKey = env.PROJECT_KEY || "default";
+    let rawName;
+    if (checkEnvIsProvider(env)) {
+        rawName = `env-${env.PROJECT_ENV}-${projectKey}-cert-${name}`;
+    }
+    else if (checkEnvIsConsumer(env)) {
+        rawName = `env-${CDK$2.ENV.SANDBOX}-${projectKey}-cert-${name}`;
+    }
+    else {
+        rawName = `env-${env.PROJECT_ENV || "default"}-${projectKey}-cert-${name}`;
+    }
+    return cleanName(rawName);
+}
+// Resolve domain name from props or environment (called before super)
+function resolveDomainNameFromProps(props) {
+    if (props?.domainName) {
+        return props.domainName;
+    }
+    if (process.env.CDK_ENV_API_HOST_NAME) {
+        return process.env.CDK_ENV_API_HOST_NAME;
+    }
+    if (process.env.CDK_ENV_API_SUBDOMAIN) {
+        return mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE ||
+            "");
+    }
+    return undefined;
+}
+// Sanitize domain for construct ID
+function sanitizeDomain(domain) {
+    return domain.replace(/\./g, "-");
+}
+/**
+ * A standalone certificate construct that can be shared across constructs.
+ *
+ * Key feature: Uses the same `resolveCertificate()` helper as JaypieDistribution,
+ * JaypieApiGateway, etc. This means:
+ * - Certificates are created at the stack level and cached by domain
+ * - You can "take over" a certificate from another construct by using the same domain
+ * - Swapping between JaypieDistribution and JaypieApiGateway won't recreate certs
+ *
+ * Supports flexible constructor signatures:
+ * - `new JaypieCertificate(scope)` - uses environment defaults
+ * - `new JaypieCertificate(scope, props)` - ID auto-generated from domain
+ * - `new JaypieCertificate(scope, id, props)` - explicit ID
+ *
+ * @example
+ * // Minimal - uses environment variables for domain/zone
+ * const cert = new JaypieCertificate(this);
+ *
+ * @example
+ * // With options - ID auto-generated as "JaypieCert-api-example-com"
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Explicit ID - useful when you need a specific construct ID
+ * const cert = new JaypieCertificate(this, "MyApiCert", {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Take over from JaypieDistribution (uses same ID format)
+ * // After removing JaypieDistribution with certificate: true
+ * const cert = new JaypieCertificate(this, {
+ *   domainName: "api.example.com",
+ *   zone: "example.com",
+ * });
+ *
+ * @example
+ * // Provider/consumer pattern for cross-stack sharing
+ * // In sandbox stack:
+ * new JaypieCertificate(this, { provider: true });
+ *
+ * // In personal build:
+ * new JaypieCertificate(this, { consumer: true });
+ */
+class JaypieCertificate extends constructs.Construct {
+    constructor(scope, idOrProps, maybeProps) {
+        // Resolve constructor arguments
+        let id;
+        let props;
+        if (typeof idOrProps === "string") {
+            // (scope, id, props) pattern
+            id = idOrProps;
+            props = maybeProps || {};
+        }
+        else if (typeof idOrProps === "object" && idOrProps !== null) {
+            // (scope, props) pattern - auto-generate id
+            props = idOrProps;
+            const domainName = resolveDomainNameFromProps(props);
+            if (domainName) {
+                // Use "JaypieCert-" prefix to avoid collision with internal certificate
+                id = props.id || `JaypieCert-${sanitizeDomain(domainName)}`;
+            }
+            else {
+                id = props.id || "JaypieCert";
+            }
+        }
+        else {
+            // (scope) pattern - no id, no props
+            props = {};
+            const domainName = resolveDomainNameFromProps(props);
+            if (domainName) {
+                id = `JaypieCert-${sanitizeDomain(domainName)}`;
+            }
+            else {
+                id = "JaypieCert";
+            }
+        }
+        super(scope, id);
+        const { consumer = checkEnvIsConsumer(), domainName: propsDomainName, export: exportParam, provider = checkEnvIsProvider(), roleTag = CDK$2.ROLE.API, zone: propsZone, } = props;
+        // Validate environment variables
+        if (process.env.CDK_ENV_API_SUBDOMAIN &&
+            !isValidSubdomain(process.env.CDK_ENV_API_SUBDOMAIN)) {
+            throw new Error("CDK_ENV_API_SUBDOMAIN is not a valid subdomain");
+        }
+        if (process.env.CDK_ENV_API_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_API_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_API_HOSTED_ZONE is not a valid hostname");
+        }
+        if (process.env.CDK_ENV_HOSTED_ZONE &&
+            !isValidHostname$1(process.env.CDK_ENV_HOSTED_ZONE)) {
+            throw new Error("CDK_ENV_HOSTED_ZONE is not a valid hostname");
+        }
+        // Determine domain name from props or environment
+        let domainName = propsDomainName;
+        if (!domainName) {
+            if (process.env.CDK_ENV_API_HOST_NAME) {
+                domainName = process.env.CDK_ENV_API_HOST_NAME;
+            }
+            else if (process.env.CDK_ENV_API_SUBDOMAIN) {
+                domainName = mergeDomain(process.env.CDK_ENV_API_SUBDOMAIN, process.env.CDK_ENV_API_HOSTED_ZONE ||
+                    process.env.CDK_ENV_HOSTED_ZONE ||
+                    "");
+            }
+        }
+        if (!domainName) {
+            throw new Error("domainName is required for JaypieCertificate (or set CDK_ENV_API_HOST_NAME / CDK_ENV_API_SUBDOMAIN)");
+        }
+        if (!isValidHostname$1(domainName)) {
+            throw new Error("domainName is not a valid hostname");
+        }
+        this.domainName = domainName;
+        // Determine zone from props or environment
+        const zone = propsZone ||
+            process.env.CDK_ENV_API_HOSTED_ZONE ||
+            process.env.CDK_ENV_HOSTED_ZONE;
+        // Generate export name
+        const sanitizedDomain = domainName.replace(/\./g, "-");
+        const exportName = exportParam
+            ? cleanName(exportParam)
+            : exportEnvName(sanitizedDomain);
+        if (consumer) {
+            // Import certificate ARN from provider stack
+            const certificateArn = cdk.Fn.importValue(exportName);
+            this.certificate = acm__namespace.Certificate.fromCertificateArn(this, "ImportedCertificate", certificateArn);
+            this.certificateArn = certificateArn;
+            new cdk.CfnOutput(this, "ConsumedCertificateArn", {
+                value: this.certificateArn,
+            });
+        }
+        else {
+            // Create or get cached certificate at stack level
+            if (!zone) {
+                throw new Error("zone is required for JaypieCertificate when not consuming (or set CDK_ENV_API_HOSTED_ZONE / CDK_ENV_HOSTED_ZONE)");
+            }
+            const hostedZone = resolveHostedZone(this, { zone });
+            // Use resolveCertificate to create at stack level (enables sharing)
+            const cert = resolveCertificate(this, {
+                certificate: true,
+                domainName,
+                roleTag,
+                zone: hostedZone,
+            });
+            if (!cert) {
+                throw new Error("Failed to create certificate");
+            }
+            this.certificate = cert;
+            this.certificateArn = cert.certificateArn;
+            if (provider) {
+                new cdk.CfnOutput(this, "ProvidedCertificateArn", {
+                    value: this.certificateArn,
+                    exportName,
+                });
+            }
+            else {
+                new cdk.CfnOutput(this, "CertificateArn", {
+                    value: this.certificateArn,
+                });
+            }
+        }
+    }
+    // IResource implementation
+    get stack() {
+        return cdk.Stack.of(this);
+    }
+    get env() {
+        return {
+            account: cdk.Stack.of(this).account,
+            region: cdk.Stack.of(this).region,
+        };
+    }
+    applyRemovalPolicy(policy) {
+        this.certificate.applyRemovalPolicy(policy);
+    }
+    // ICertificate implementation
+    metricDaysToExpiry(props) {
+        return this.certificate.metricDaysToExpiry(props);
+    }
+}
+
 class JaypieDatadogBucket extends constructs.Construct {
     /**
      * Create a new S3 bucket for Datadog log archiving with automatic IAM permissions
@@ -2117,16 +2450,13 @@ class JaypieDistribution extends constructs.Construct {
         let certificateToUse;
         if (host && zone && certificateProp !== false) {
             hostedZone = resolveHostedZone(this, { zone });
-            if (certificateProp === true) {
-                certificateToUse = new acm__namespace.Certificate(this, constructEnvName("Certificate"), {
-                    domainName: host,
-                    validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
-                });
-                cdk.Tags.of(certificateToUse).add(CDK$2.TAG.ROLE, roleTag);
-            }
-            else if (typeof certificateProp === "object") {
-                certificateToUse = certificateProp;
-            }
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            certificateToUse = resolveCertificate(this, {
+                certificate: certificateProp,
+                domainName: host,
+                roleTag,
+                zone: hostedZone,
+            });
             this.certificate = certificateToUse;
         }
         // Create log bucket if logging is enabled
@@ -3613,19 +3943,17 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
             else {
                 hostedZone = zone;
             }
-            // Create certificate if not provided
-            if (props.certificate !== false) {
-                this.certificate =
-                    typeof props.certificate === "object"
-                        ? props.certificate
-                        : new acm__namespace.Certificate(this, "Certificate", {
-                            domainName: host,
-                            validation: acm__namespace.CertificateValidation.fromDns(hostedZone),
-                        });
+            // Use resolveCertificate to create certificate at stack level (enables reuse when swapping constructs)
+            this.certificate = resolveCertificate(this, {
+                certificate: props.certificate,
+                domainName: host,
+                roleTag,
+                zone: hostedZone,
+            });
+            if (this.certificate) {
                 new cdk.CfnOutput(this, "CertificateArn", {
                     value: this.certificate.certificateArn,
                 });
-                cdk.Tags.of(this.certificate).add(CDK$2.TAG.ROLE, roleTag);
             }
             // Create CloudFront distribution
             this.distribution = new cloudfront__namespace.Distribution(this, "Distribution", {
@@ -3873,6 +4201,7 @@ exports.JaypieAccountLoggingBucket = JaypieAccountLoggingBucket;
 exports.JaypieApiGateway = JaypieApiGateway;
 exports.JaypieAppStack = JaypieAppStack;
 exports.JaypieBucketQueuedLambda = JaypieBucketQueuedLambda;
+exports.JaypieCertificate = JaypieCertificate;
 exports.JaypieDatadogBucket = JaypieDatadogBucket;
 exports.JaypieDatadogForwarder = JaypieDatadogForwarder;
 exports.JaypieDatadogSecret = JaypieDatadogSecret;
@@ -3900,7 +4229,9 @@ exports.JaypieTraceSigningKeySecret = JaypieTraceSigningKeySecret;
 exports.JaypieWebDeploymentBucket = JaypieWebDeploymentBucket;
 exports.LAMBDA_WEB_ADAPTER = LAMBDA_WEB_ADAPTER;
 exports.addDatadogLayers = addDatadogLayers;
+exports.clearAllCertificateCaches = clearAllCertificateCaches;
 exports.clearAllSecretsCaches = clearAllSecretsCaches;
+exports.clearCertificateCache = clearCertificateCache;
 exports.clearSecretsCache = clearSecretsCache;
 exports.constructEnvName = constructEnvName;
 exports.constructStackName = constructStackName;
@@ -3914,6 +4245,7 @@ exports.isValidHostname = isValidHostname$1;
 exports.isValidSubdomain = isValidSubdomain;
 exports.jaypieLambdaEnv = jaypieLambdaEnv;
 exports.mergeDomain = mergeDomain;
+exports.resolveCertificate = resolveCertificate;
 exports.resolveDatadogForwarderFunction = resolveDatadogForwarderFunction;
 exports.resolveDatadogLayers = resolveDatadogLayers;
 exports.resolveDatadogLoggingDestination = resolveDatadogLoggingDestination;